How can FCA-regulated firms master operational resilience in a VUCA world?

We’ve all learned the hard way – with March of 2020 holding particular significance – that disruption comes in many forms. And we can’t always predict what’s around the corner.


Ongoing pandemic implications, market uncertainty, economic volatility, supply chain struggles, talent shortages, cybersecurity and climate risk are all concerning global trends for businesses to watch in 2024 and beyond. 


It’s no longer good enough to have a disaster recovery plan, ISO accreditation and yearly audits. Today, those checks are the absolute minimum baseline. Compliance standards do not consider the specifics of an organisation, such as its business model, strategy and value proposition. Being merely compliance-driven does not guarantee an increase in resilience, nor does it enable the building of governance processes that are fit for purpose.


Operational resilience is more than an FCA regulatory requirement; it is an essential long-term strategy for progressing on wider company goals and increasing stakeholder interests such as sustainability and ESG.

 

Operational resilience is no longer optional


Earlier this year, the UK’s Financial Conduct Authority (FCA) set out new regulatory standards for Operational Resilience, creating a new mandatory framework for banks, building societies and other specific financial institutions. The European Commission is following suit with its Digital Operational Resilience Act (DORA), as is the Australian Prudential Regulation Authority (APRA).


The FCA’s new rules came into effect on 31st March 2022, giving financial services firms just three years to embed appropriate metrics and controls to measure ‘important business services’ and set ‘impact tolerances’. To maintain compliance with the new standards, financial services firms must be able to evidence they are operating within their impact tolerances no later than 31st March 2025. 


Operating within this framework will help FCA-regulated firms understand, and evidence, that should a critical system fail they can continue to operate without serious adverse effects on the business and their customers.

 

Staying ahead of disruption and regulatory risk


The term ‘operational resilience’ has been around for years, but it has steadily been gaining more traction since the first waves of COVID-19 and the resulting risks, which encompassed everything from cyber crime to supply chain shortages.


On the surface, the definition of operational resilience sounds simple: ‘the ability of firms…to prevent, adapt and respond to, recover and learn from operational disruption’ (FCA). In practice, however, this is incredibly complex.


As an organisation, you need to create an operational resilience framework that takes a holistic view of your business, operations, finances, governance, regulation and compliance, information security, ESG impact and more. All core elements of the business need to be ‘operationally resilient’ by design as organisations grapple with significant uncertainty and emerging risks.


You’ve got to be certain of the scope of the business’s risks and of the ways in which those risks are identified and managed on a daily basis. Risk management is often undertaken by various teams in differing ways. To understand the organisation’s position, you need to be able to view all these risks together as a whole, and to understand how they will impact the entire organisation.

 

Use the opportunity to get your firm in order


The good news is that the scope of operational resilience provides a thorough lens across these issues and across how organisations can, and will, perform when (not if) a critical event arises, whether it’s a one-off event like a cyber breach or a sustained impact such as COVID-19.


More than that, viewing operational resilience holistically not only benefits the business, but also gets you ahead of the curve on increasingly mandated ESG regulation, such as the German Supply Chain Due Diligence Act. Mandated regulations are increasing globally, and disclosures of this kind will soon be mandatory for business. The foundations of GRC and Operational Resilience give the business a leg up across these areas.


Getting your Governance, Risk and Compliance (GRC) processes right is not only key to your success; it is increasingly becoming a ‘ticket to play’ for staying on top of the ever-changing risk landscape and, arguably, for exercising duty of care and diligence, as these risks are now a core governance concern.


The lifeblood of your business is in its critical processes: the way day-to-day operations are set up to run, how information is distributed and secured, and ultimately, how decisions are made.

 

Meet FCA requirements with the leading Operational Resilience solution


Identify important business services, set impact tolerances, and map all of them in a simplified dashboard view with Drova GRC.


By using Drova GRC to manage operational resilience, you can easily evidence your important business services and show that you are reviewing them on a regular basis. Reporting outputs highlight any services that were deemed to be outside of your firm's impact tolerance and what remedial actions were taken. Scenario testing can be recorded on a regular basis and upon a material change to your firm.
